PatchSiren cyber security CVE debrief
CVE-2026-42527 Apache CVE debrief
The CVE record for CVE-2026-42527 was published on 2026-07-06T09:16:35.657Z and has not been modified since then. The NVD entry is currently Analyzed. This Deserialization of Untrusted Data vulnerability in Apache Camel, specifically in the default ObjectInputFilter pattern used by several components, allows classes whose hashCode/equals/readObject methods perform network I/O, such as java.net.URL and java.net.InetAddress. An attacker can exploit this by delivering a Java-serialized payload to an affected Camel consumer, potentially causing the JVM to issue DNS queries to the attacker-supplied host during deserialization. The exposure is highest on the camel-jms family because JmsBinding.extractBodyFromJms invokes ObjectMessage.getObject() unconditionally when mapJmsMessage=true (default). Affected components include camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository components camel-leveldb, camel-cassandraql, camel-consul, camel-sql (JDBC aggregation repository).
- Vendor
- Apache
- Product
- Camel
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of Apache Camel versions from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0 should be aware of this vulnerability. Specifically, operators managing Apache Camel deployments, platform administrators responsible for the underlying infrastructure, vulnerability management teams assessing the risk of affected components, and security teams validating the effectiveness of mitigations should prioritize reviewing and addressing this issue.
Technical summary
A Deserialization of Untrusted Data vulnerability exists in Apache Camel, specifically in the default ObjectInputFilter pattern used by several components. This pattern allows classes whose hashCode/equals/readObject methods perform network I/O, such as java.net.URL and java.net.InetAddress. An attacker can exploit this by delivering a Java-serialized payload to an affected Camel consumer, potentially causing the JVM to issue DNS queries to the attacker-supplied host during deserialization.
Defensive priority
High priority should be given to upgrading to a version that contains the CAMEL-23372 fix: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line.
Recommended defensive actions
- Upgrade to a version that contains the CAMEL-23372 fix: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line.
- Configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation.
- Override the in-code default via the endpoint-level 'deserializationFilter' option or the JVM-wide '-Djdk.serialFilter' system property with an explicit deny: '!java.net.**;java.**;javax.**;org.apache.camel.**;!*' (or '!
- Perform inventory checks to identify potentially affected components: camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository
- Configure compensating controls, such as monitoring and exception tracking, to detect potential exploitation attempts.
Evidence notes
The CVE record was published on 2026-07-06T09:16:35.657Z and has not been modified since then. The NVD entry is currently Analyzed. The vulnerability affects Apache Camel versions from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0.
Official resources
-
CVE-2026-42527 CVE record
CVE.org
-
CVE-2026-42527 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Mitigation, Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:35.657Z and has not been modified since then. The NVD entry is currently Analyzed.